When we run an LDAP server for some other organizations, what base DN should we recommend that they choose for their LDAP tree?
The server host name will be under our domain, not theirs. (And the server cert cannot contain a name under their domain, so it will only confuse matters if they create a CNAME under their domain which refers to the server.)

dc=<their domain>,dc=no still seems the normally best choice. It doesn't allow the hostname and DN to be guessed from each other, and it won't work as intended with DNS SRV records. But it still avoids the need for administration of names to avoid name conflicts with other organizations.

The one problem I see is that if they intend to use "our" LDAP server for one kind of client (probably authentication), they may set up some other public LDAP server of their own. They may then (or some time later) want referrals between the servers. A referral can change the DN of the referred entry, but client support for such features varies.

Are there other problems? Does anyone have experience with that?

And what's a good name if they choose _not_ to use the 'dc' structure? Could use o=<org>,c=NO, but I bet some clients won't like UTF-8 in DNs. Maybe the DN doesn't matter greatly in this case, and o=<dc component>,dc=<our domain>,dc=no is just as good.

--
Regards,
Hallvard
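As an added illustration, not part of Hallvard's post, here is a constructed LDIF sketch of the o=<dc component>,dc=<our domain>,dc=no layout, with a named subordinate referral (RFC 3296) handing one subtree over to the organization's own server; all host names, DNs and descriptions are placeholders.

```ldif
# Constructed example: suffix for the hosting organization's own domain.
dn: dc=ourdomain,dc=no
objectClass: dcObject
objectClass: organization
dc: ourdomain
o: Our Domain (hosting provider)

# Per-customer container named after their domain's dc component, so the
# DN stays related to their DNS name while remaining under our suffix
# (no cross-organization name administration needed).
dn: o=theirorg,dc=ourdomain,dc=no
objectClass: organization
o: theirorg
description: Authentication subtree hosted for theirorg.no (placeholder)

dn: ou=People,o=theirorg,dc=ourdomain,dc=no
objectClass: organizationalUnit
ou: People

# Named subordinate referral (RFC 3296): a search below this entry is
# redirected to the customer's own public server. The target DN differs
# from the local one, so clients that chase referrals but cannot rewrite
# DNs will fail here; test each client type before relying on it.
dn: ou=Public,o=theirorg,dc=ourdomain,dc=no
objectClass: referral
objectClass: extensibleObject
ou: Public
ref: ldap://ldap.theirorg.no/ou=Public,dc=theirorg,dc=no
```

Keeping every attribute value in the DNs ASCII-only (as above) sidesteps the UTF-8-in-DN client problem the post raises, whichever naming scheme is chosen.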
